
transport tls: Add ensure_fips option to ensure FIPS compliant mode #4720

Merged
merged 1 commit into from
Nov 28, 2024

Conversation

kenhys
Contributor

@kenhys kenhys commented Nov 28, 2024

Which issue(s) this PR fixes:

Fixes #3121

What this PR does / why we need it:

The ensure_fips option checks whether FIPS mode is
enabled on the OpenSSL side.
If FIPS is not enabled on the OpenSSL side, it raises an error (blocking fluentd from launching) when ensure_fips is true.

NOTE: If FIPS mode is enabled by default, ensure_fips does nothing.

Docs Changes:

Document ensure_fips option in transport-section.

https://docs.fluentd.org/configuration/transport-section#tls-setting

Release Note:

The same as the title.

@kenhys
Contributor Author

kenhys commented Nov 28, 2024

It seems that the bundled OpenSSL gem provides OpenSSL.fips_mode by default,
so assume OpenSSL.fips_mode is available.

  • ruby-2.7.8
  • ruby-3.0.7
  • ruby-3.1.6
  • ruby-3.2.6
  • ruby-3.3.6
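The check described in the PR description and in the comment above, as an added Ruby illustration (it is not code from the PR or from fluentd's cert_option helper): it reads OpenSSL.fips_mode and refuses to build a TLS server context when ensure_fips is true but OpenSSL is not running in FIPS mode. The module name FipsCheck, the ConfigError class standing in for Fluent::ConfigError, and the injectable fips_mode_reader are assumptions made so the gate can be exercised on a host that is not FIPS-enabled.

```ruby
require "openssl"

# Added illustration (not fluentd's own helper): the ensure_fips gate from
# this PR, written so the OpenSSL side can be substituted for testing.
module FipsCheck
  # Stand-in for Fluent::ConfigError so this file runs without fluentd loaded.
  class ConfigError < StandardError; end

  # Same message the PR's startup log shows when the check fails.
  FIPS_DISABLED_MESSAGE =
    "Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled".freeze

  # Default reader asks the bundled openssl gem whether FIPS mode is on.
  DEFAULT_FIPS_READER = -> { OpenSSL.fips_mode }

  # Returns :skipped when ensure_fips is false (the option does nothing),
  # :ok when FIPS mode is confirmed, and raises ConfigError when ensure_fips
  # is true but OpenSSL reports FIPS mode disabled.
  def self.ensure_fips!(ensure_fips, fips_mode_reader: DEFAULT_FIPS_READER)
    return :skipped unless ensure_fips

    raise ConfigError, FIPS_DISABLED_MESSAGE unless fips_mode_reader.call

    :ok
  end

  # Mimics a <transport tls> section being turned into a server SSLContext:
  # the FIPS gate runs before any context exists, so a misconfigured node
  # fails at startup instead of quietly serving non-FIPS TLS.
  def self.create_context(conf, fips_mode_reader: DEFAULT_FIPS_READER)
    ensure_fips!(conf.fetch(:ensure_fips, false), fips_mode_reader: fips_mode_reader)

    ctx = OpenSSL::SSL::SSLContext.new
    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
    ctx
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed config mirroring the PR's fips_in_forward.conf (cert paths omitted).
  conf = { ensure_fips: true }
  begin
    FipsCheck.create_context(conf)
    puts "FIPS mode confirmed; TLS context created"
  rescue FipsCheck::ConfigError => e
    # On a non-FIPS host this is the same failure the PR's log records.
    warn "config error: #{e.message}"
  end
end
```

Running the file on a host whose OpenSSL is not in FIPS mode prints the config error; with ensure_fips set to false the context is built regardless, which is the "does nothing" behaviour the description notes.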

@kenhys kenhys requested a review from daipom November 28, 2024 06:00
@kenhys
Contributor Author

kenhys commented Nov 28, 2024

It will stop:

bundle exec fluentd -c fips_in_forward.conf
2024-11-28 15:14:14 +0900 [info]: init supervisor logger path=nil rotate_age=nil rotate_size=nil
2024-11-28 15:14:14 +0900 [info]: parsing config file is succeeded path="fips_in_forward.conf"
2024-11-28 15:14:14 +0900 [info]: gem 'fluentd' version '1.17.1'
2024-11-28 15:14:14 +0900 [info]: using configuration file: <ROOT>
  <source>
    @type forward
    <transport tls>
      ensure_fips true
      ca_cert_path "./secrets/ca_cert.pem"
      ca_private_key_path "./secrets/ca_key.pem"
      ca_private_key_passphrase xxxxxx
    </transport>
  </source>
</ROOT>
2024-11-28 15:14:14 +0900 [info]: starting fluentd-1.17.1 pid=319736 ruby="3.2.6"
2024-11-28 15:14:14 +0900 [info]: spawn command to main:  cmdline=["/home/kenhys/.rvm/rubies/ruby-3.2.6/bin/ruby", "-r/home/kenhys/.rvm/rubies/ruby-3.2.6/lib/ruby/3.2.0/bundler/setup", "-Eascii-8bit:ascii-8bit", "/home/kenhys/.rvm/gems/ruby-3.2.6@fluentd/bin/fluentd", "-c", "fips_in_forward.conf", "--under-supervisor"]
2024-11-28 15:14:15 +0900 [info]: #0 init worker0 logger path=nil rotate_age=nil rotate_size=nil
2024-11-28 15:14:15 +0900 [info]: adding source type="forward"
2024-11-28 15:14:15 +0900 [info]: #0 starting fluentd worker pid=319752 ppid=319736 worker=0
2024-11-28 15:14:15 +0900 [info]: #0 listening port port=24224 bind="0.0.0.0"
2024-11-28 15:14:15 +0900 [error]: #0 unexpected error error_class=Fluent::ConfigError error="Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled"
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/plugin_helper/cert_option.rb:42:in `cert_option_create_context'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/plugin_helper/server.rb:231:in `server_create_for_tls_connection'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/plugin_helper/server.rb:103:in `server_create_connection'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/plugin/in_forward.rb:172:in `start'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/root_agent.rb:228:in `block in start'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/root_agent.rb:217:in `block (2 levels) in lifecycle'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/root_agent.rb:216:in `each'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/root_agent.rb:216:in `block in lifecycle'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/root_agent.rb:203:in `each'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/root_agent.rb:203:in `lifecycle'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/root_agent.rb:227:in `start'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/engine.rb:264:in `start'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/engine.rb:158:in `block in run'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/engine.rb:157:in `synchronize'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/engine.rb:157:in `run'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/supervisor.rb:637:in `block in run_worker'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/supervisor.rb:999:in `main_process'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/supervisor.rb:628:in `run_worker'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/lib/fluent/command/fluentd.rb:378:in `<top (required)>'
  2024-11-28 15:14:15 +0900 [error]: #0 <internal:/home/kenhys/.rvm/rubies/ruby-3.2.6/lib/ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:38:in `require'
  2024-11-28 15:14:15 +0900 [error]: #0 <internal:/home/kenhys/.rvm/rubies/ruby-3.2.6/lib/ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:38:in `require'
  2024-11-28 15:14:15 +0900 [error]: #0 /work/fluent/fluentd/fluentd.work/bin/fluentd:15:in `<top (required)>'
  2024-11-28 15:14:15 +0900 [error]: #0 /home/kenhys/.rvm/gems/ruby-3.2.6@fluentd/bin/fluentd:25:in `load'
  2024-11-28 15:14:15 +0900 [error]: #0 /home/kenhys/.rvm/gems/ruby-3.2.6@fluentd/bin/fluentd:25:in `<main>'
2024-11-28 15:14:15 +0900 [error]: #0 config error file="fips_in_forward.conf" error_class=Fluent::ConfigError error="Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled"
2024-11-28 15:14:15 +0900 [error]: Worker 0 exited unexpectedly with status 2
2024-11-28 15:14:15 +0900 [info]: Received graceful stop

The ensure_fips option checks whether FIPS mode is
enabled on the OpenSSL side.
If FIPS is not enabled on the OpenSSL side, it raises an error
when ensure_fips is true.

NOTE: If FIPS mode is enabled, ensure_fips does nothing.

Closes: fluent#3121

Signed-off-by: Kentaro Hayashi <[email protected]>
Contributor

@daipom daipom left a comment


LGTM. Thanks!

@daipom daipom merged commit df3d0c4 into fluent:master Nov 28, 2024
13 of 16 checks passed
@daipom daipom changed the title Ensure FIPS compliant mode by ensure_fips option transport tls: add ensure_fips option to Ensure FIPS compliant mode Nov 28, 2024
@daipom daipom changed the title transport tls: add ensure_fips option to Ensure FIPS compliant mode transport tls: Add ensure_fips option to ensure FIPS compliant mode Nov 28, 2024
@daipom daipom added this to the v1.18.0 milestone Nov 28, 2024
@kenhys kenhys deleted the fips-mode branch November 28, 2024 07:50
Successfully merging this pull request may close these issues.

FIPS support in Fluentd